<H2>How do I debug with SSL?</H2>

<p> While Jetty is normally well behaved, there are times when it is necessary to
debug problems. For information on how to set up general debugging options go to the <a href="/jetty/tut/logging.html#debugging"> tutorial page </a>. The following are some hints for debugging when using SSL.


<h3>JSSE</h3>
<p> As described in the JSSE FAQ, there is a debug facility built into JSSE controlled by the javax.net.debug property.
<p> Assuming that you've got JSSE configured properly, you can use it as follows. You will need to edit etc/demo.xml as described in <a href="../JsseSSL.html">the JSSE SSL documentation</a>.
<p> To get help use:
<pre>
JAVA_OPTIONS='-Djavax.net.debug=help' ./bin/jetty.sh run
</pre>
<p> You will get something like this:
<pre>
all         turn on all debugging
ssl         turn on ssl debugging

The following can be used with ssl:
        record      enable per-record tracing
        handshake   print each handshake message
        keygen      print key generation data
        session     print session activity

        handshake debugging can be widened with:
        data        hex dump of each handshake message
        verbose     verbose handshake message printing

        record debugging can be widened with:
        plaintext   hex dump of record plaintext
</pre>
<h4>example</h4>
<pre>
JAVA_OPTIONS='-Djavax.net.debug=ssl,handshake,data' ./bin/jetty.sh run
</pre>

<P>
<h3>General SSL</h3>
<p> Assuming you've got the excellent (in a Bill&amp;Ted way) openssl package installed, you can use its s_client utility to help debug an SSL setup.

<p> To get help use:
<pre>
man s_client
</pre>
<p> or:
<pre>
openssl s_client -help
</pre>

<h4>example</h4>
<p> When run against a server using the expired test certificate, the following is generated.
<font size="-1">
<pre>
bretts@london[7538]: openssl s_client -showcerts -connect localhost:8443
CONNECTED(00000003)
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting/OU=Open Source Development/CN=Jetty Server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting/OU=Open Source Development/CN=Jetty Server
verify error:num=10:Certificate has expired
notAfter=Jan 20 13:55:44 2001 GMT
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting/OU=Open Source Development/CN=Jetty Server
notAfter=Jan 20 13:55:44 2001 GMT
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting/OU=Open Source Development/CN=Jetty Server
   i:/C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting/OU=Open Source Development/CN=Jetty Server
-----BEGIN CERTIFICATE-----
MIICjjCCAfcCBDny8eAwDQYJKoZIhvcNAQEEBQAwgY0xEDAOBgNVBAYTB1Vua25v
d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xHDAaBgNVBAoT
E01vcnQgQmF5IENvbnN1bHRpbmcxIDAeBgNVBAsTF09wZW4gU291cmNlIERldmVs
b3BtZW50MRUwEwYDVQQDEwxKZXR0eSBTZXJ2ZXIwHhcNMDAxMDIyMTM1NTQ0WhcN
MDEwMTIwMTM1NTQ0WjCBjTEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5r
bm93bjEQMA4GA1UEBxMHVW5rbm93bjEcMBoGA1UEChMTTW9ydCBCYXkgQ29uc3Vs
dGluZzEgMB4GA1UECxMXT3BlbiBTb3VyY2UgRGV2ZWxvcG1lbnQxFTATBgNVBAMT
DEpldHR5IFNlcnZlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtfU06Yq0
Kgg/1PB/koBUVstoVZXunnpphJEtuC4MSD/ToBywEBtxgH+kqxU5PouY+D8q7F2e
mhnAUkBOBBxiB5FhSVxAEMFgwRW2xY4KpEzHfoNv4D09dXqHpb7QytW7wh1JCWwJ
/NxFyuDNvhJyuKHITt9UK5Y0Sq9QZN31YBECAwEAATANBgkqhkiG9w0BAQQFAAOB
gQA9ETZCa9GY6sBA2tCqD9s+aLVU8TijVuQkR3djXDLo4b9IeiWmyWWzo+pOF3Mi
7sO41rZoli5blTepQ6TwvnzgBXjkNbttcJPKGzc9qg+WT53wq2dpiYE/UbFDzUTG
AapPu7TOQUxym81QgP+JcD7nvrT4VlvP17wXcSJ4P2pzPg==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting/OU=Open Source Development/CN=Jetty Server
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting/OU=Open Source Development/CN=Jetty Server
---
No client certificate CA names sent
---
SSL handshake has read 1000 bytes and written 248 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5
    Session-ID: 3B079FD18A6267CDC768F2BD0251E0B2EE8E2E9...
    Session-ID-ctx: 
    Master-Key: 9AD848E83549CF9835747EC287876579D95F3D69A64B9DB8E9...
    Key-Arg   : None
    Start Time: 990355411
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
</pre>
</font>
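<p> The checks a reader makes by eye on the transcript above, written as a script. This is an added example, not part of the original FAQ or of Jetty; the function names (summarize_s_client, has_problems, sample_output) are hypothetical and the sample input is constructed from lines of that transcript. It reports the individual "verify error" lines as well as the summary line, because in the transcript the summary reads 0 (ok) even though two verify errors were printed.

```shell
#!/bin/sh
# Added example: summarise saved `openssl s_client` output read from stdin.
# Function names are hypothetical; output is one key=value line per finding.
summarize_s_client() {
    awk '
        # e.g. "verify error:num=18:self signed certificate"
        /^verify error:num=/ {
            split($0, f, ":"); sub(/^num=/, "", f[2])
            print "verify_error=" f[2] ":" f[3]
        }
        # First notAfter line only; the transcript prints it twice.
        /^notAfter=/ && !seen_na { seen_na = 1; print "not_after=" substr($0, 10) }
        /^ *Protocol *:/ { v = $0; sub(/^[^:]*: */, "", v); print "protocol=" v }
        # Session block line, e.g. "    Cipher    : EXP-RC4-MD5"
        /^ *Cipher *:/ {
            v = $0; sub(/^[^:]*: */, "", v); print "cipher=" v
            # OpenSSL names export-grade suites with an EXP- prefix.
            if (v ~ /^EXP-/) print "weak_cipher=export-grade"
        }
        /Verify return code:/ { v = $0; sub(/^.*code: */, "", v); print "verify_return=" v }
    '
}

# Succeeds (exit 0) when stdin shows a verify error or an export-grade cipher.
has_problems() {
    summarize_s_client | grep -Eq '^(verify_error|weak_cipher)='
}

# Constructed sample: selected lines copied from the transcript above.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
verify error:num=18:self signed certificate
verify return:1
verify error:num=10:Certificate has expired
notAfter=Jan 20 13:55:44 2001 GMT
verify return:1
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5
    Verify return code: 0 (ok)
EOF
}

sample_output | summarize_s_client
```

<p> For a live server, pipe the command from the transcript into the function with stderr merged, since s_client writes the verify lines there: <code>openssl s_client -showcerts -connect localhost:8443 &lt;/dev/null 2&gt;&amp;1 | summarize_s_client</code>.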
<BR><BR>
<font size="-1">Author: Brett Sealey.<br>
Last updated: 2003 April 4th
</font>


